Security Basics mailing list archives

Re: Re: Why NOT to disable Real Time Antivirus on Servers


From: Warren V Camp <wcamp () cox net>
Date: Thu, 3 Nov 2005 18:50:08 -0500

At minimum you need AV protection on your file and email servers. Email servers should be inspecting all incoming and 
outgoing mail.

A new virus may strike and infect a PC before AV protection is available from the vendor.

How can you ensure that the AV safeguards on PCs are current and operating effectively in order to be certain that 
servers won't be affected?



From: Kenton Smith <listsks () yahoo ca>
Date: 2005/11/02 Wed PM 05:47:28 EST
To: george.peek () gmx net,  security-basics () securityfocus com
Subject: Re: Why NOT to disable Real Time Antivirus on Servers

Aside from the standard defense-in-depth arguments
what about worms? I don't have any case studies and
since you're arguing with an engineer you'll need
plenty, however...
His argument is only holding true if you consider
email-borne viruses. If there is a self-propagating
worm, it is going to hit anything that will let it.
Now I know that anti-virus isn't the best way to
combat worms; it can still save your bacon.
Particularly on a server that has to have some common
open ports (25, 110, etc.). Plus what if someone puts an
outside machine on your internal network? If that
machine is infected with a worm it's going to go
straight for your unprotected servers.

Another argument for an Exchange server is that you
don't have RT scanning your Exchange folders anyway.
At least Symantec tells you not to do this, I'm sure
that other vendors do as well. If you do that, then
all your RT anti-virus is doing is watching for other
file changes on your server and there shouldn't be
very many of those.

Unless your servers are severely underpowered, why
would you not run it just for the added safety?

Kenton

--- george.peek () gmx net wrote:

Greetings,

An Engineer and I are having an argument about
keeping Real Time Antivirus disabled on servers.

His point is keeping Real Time Antivirus Enabled on
servers such as the Exchange Server takes a huge
performance hit on the server.

My argument is that keeping real time antivirus
software disabled defeats the purpose of PREVENTING
a server from being infected in the first place.
Once it is infected, it is all too late already. The
antivirus software is enabled on the workstations.

He argues that since all of the workstations have
the antivirus enabled, then there is no way for the
virus to get in.

My argument is that a virus can still get in through
other means. I need examples and case studies to
refer to.

I would like to find different case studies or
scenarios where the real time antivirus was disabled
on the servers, enabled on the PCs, and the company
still got infected. Also, I would like to find
solutions to enabling real time scan and
streamlining it so it does not affect the Exchange Server
as badly.

Would someone point me in the right direction or
post potential case studies?

Please post or email me.

George.peek () gmx net

Thank You
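Warren's question (how do you know the PC-side AV is actually current and running before you rely on it to shield the servers) is answerable with a periodic audit rather than trust. The script below is an added example written for this archive page, not code from any poster or vendor; it assumes the AV management console can export a per-host inventory as CSV with the columns shown (hostname, real-time status, signature date, last check-in), and the sample rows and the staleness thresholds are constructed for illustration. It flags hosts whose real-time scanning is off, whose signatures are older than a few days, or which have stopped reporting at all (a host that is not checking in should be treated as unknown, not as protected).

```python
"""Audit endpoint anti-virus state from a constructed AV-console CSV export."""
import csv
import io
from datetime import date

# Constructed sample export: hostnames and dates are made up for this example.
# Column names are an assumption about what a console export would contain.
SAMPLE_INVENTORY = """hostname,realtime_enabled,signature_date,last_checkin
ws-001,yes,2005-11-03,2005-11-03
ws-002,no,2005-11-03,2005-11-03
ws-003,yes,2005-10-20,2005-11-02
ws-004,yes,2005-11-02,2005-10-25
"""


def parse_inventory(text):
    """Parse the CSV export into a list of dicts with typed fields."""
    rows = []
    for row in csv.DictReader(io.StringIO(text)):
        rows.append({
            "hostname": row["hostname"].strip(),
            "realtime_enabled": row["realtime_enabled"].strip().lower() == "yes",
            "signature_date": date.fromisoformat(row["signature_date"].strip()),
            "last_checkin": date.fromisoformat(row["last_checkin"].strip()),
        })
    return rows


def audit(rows, today, max_sig_age_days=3, max_checkin_age_days=7):
    """Return {hostname: [problems]} for every host that fails a check.

    Thresholds are assumptions for the example; tune them to the vendor's
    signature release cadence and how often agents are expected to report.
    """
    findings = {}
    for r in rows:
        problems = []
        if not r["realtime_enabled"]:
            problems.append("realtime-disabled")
        if (today - r["signature_date"]).days > max_sig_age_days:
            problems.append("signatures-stale")
        # A silent agent may have been uninstalled, killed, or the host may be
        # off the network; its other fields only describe its last known state.
        if (today - r["last_checkin"]).days > max_checkin_age_days:
            problems.append("not-reporting")
        if problems:
            findings[r["hostname"]] = problems
    return findings


def audit_text(text, today_iso, **thresholds):
    """Convenience wrapper: audit a CSV string against an ISO date."""
    return audit(parse_inventory(text), date.fromisoformat(today_iso), **thresholds)


if __name__ == "__main__":
    for host, problems in sorted(audit_text(SAMPLE_INVENTORY, "2005-11-03").items()):
        print(f"{host}: {', '.join(problems)}")
```

Run against the constructed sample with 2005-11-03 as "today", ws-001 passes, ws-002 is flagged for real-time scanning being off, ws-003 for stale signatures and ws-004 for not reporting. Scheduling a run like this daily and acting on the non-compliant list is the concrete way to make the "all workstations are protected" assumption something you can verify rather than assert.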






